Canada introduces mandatory breach notification

The Digital Privacy Act, adopted on 18 June, introduces an explicit obligation to notify individuals in cases of breaches, and report to the Office of the Privacy Commissioner of Canada if it is "reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual". Organisations need to keep and maintain a record of every breach of security safeguards involving personal information.

The Digital Privacy Act amends the Personal Information Protection and Electronic Documents Act (PIPEDA). It enables the Privacy Commissioner, in some circumstances, to enter into compliance agreements with organisations that will include any terms that the Commissioner considers necessary to ensure compliance with PIPEDA. The Commissioner may seek a mandatory order from the Federal Court to require compliance with the agreement. The Bill has entered into force apart from the provisions on breach notification.